[Full-disclosure] [follow-up] razorCMS - Multiple Vulnerabilities
epixoip at hush.com
Thu Apr 16 19:26:32 BST 2009
The following was received this morning from the author of
razorCMS. It seems the threat of full disclosure really expedites
vulnerability remediation ;)
"All XSS attacks are now plugged, this has been solved. The admin
password now uses my own password hashing method that introduces
salt in at a position that is relative to the input password
length, the salt is then appended to the front of the password. FTP
password is now encrypted again using my own algorithm and is only
decrypted using a key stored in session. This way, to get the FTP
password they have to look at the file to get the FTP password, then hijack
the session that is randomly changing its session number every
refresh to get the key to unlock it. The whole system now gets
owned by apache, and the security manager has now gone, and been
replaced with a security check on the main page when logging in; this
checks ALL files and lets you secure ALL files. If any files are
open the big box goes red, so you would have to be blind to miss
it. This will also work for FTP mode too, and I'm just checking how much
functionality I can get out of it for windows permissions too.
There is still the option to make all files unsafe, as this can be
invaluable when uninstalling razorCMS, but it is riddled with error
messages and turns the box red, plus it's on the home page so you
will see it every time you login. Login now bans you after X
amounts of tries, for up to 60 mins; you can have no more than 8
failed logins in 60 mins, and if you conceal your IP it will ban you
from logging in. All up to 300 records are stored in a log which
prunes itself to 300 records (all configurable). I have a file
manager to add in the mix too, so there's been a lot of effort here
to tighten things up a hell of a lot. Should be about a week or two,
then I'll release for testing. It's still got some rough edges."
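The original disclosure below describes the admin password being stored as a bare sha1sum in a group/world-readable file, and the vendor's reply above describes a home-grown salting scheme as the fix. The following is an added illustration, not razorCMS code and not the vendor's algorithm: it shows why an unsalted SHA-1 digest matches a precomputed table built once and reused against any site, and what a per-record random salt with an iterated standard KDF (PBKDF2-HMAC-SHA256 from the Python standard library) and constant-time comparison looks like instead. The wordlist, passwords and round count are constructed sample values.

```python
"""Unsalted SHA-1 versus a salted, iterated password hash (added example)."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample wordlist standing in for a precomputed lookup table.
WORDLIST = ["password", "letmein", "razorcms", "admin123", "hunter2"]

# Table of sha1(word) -> word, computed once; valid against every site that
# stores unsalted SHA-1, which is the weakness the advisory points out.
PRECOMPUTED_SHA1 = {hashlib.sha1(w.encode()).hexdigest(): w for w in WORDLIST}

PBKDF2_ROUNDS = 100_000  # constructed value; tune to your hardware budget
SALT_BYTES = 16


def sha1_unsalted(password: str) -> str:
    """The weak scheme: one deterministic digest per password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def lookup_precomputed(digest: str) -> Optional[str]:
    """Recover a password from an unsalted digest by table lookup, if present."""
    return PRECOMPUTED_SHA1.get(digest)


def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = PBKDF2_ROUNDS) -> str:
    """Return 'pbkdf2_sha256$<rounds>$<salt hex>$<derived key hex>'.

    A fresh random salt per stored record means no table built in advance
    matches, and the same password hashes differently for every user.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and rounds; compare in constant time."""
    try:
        algo, rounds, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    weak = sha1_unsalted("letmein")
    print("unsalted sha1 recovered by table lookup:", lookup_precomputed(weak))
    strong = hash_password("letmein")
    print("salted record:", strong)
    print("verify correct:", verify_password("letmein", strong))
    print("verify wrong:  ", verify_password("wrong", strong))
```

The point the advisory makes is about the stored digest, not the password: even with a salt, the stored record should not sit in a file readable by every local user, and the salt must be random per record and stored alongside the hash rather than derived from the password itself.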
All razorCMS users are encouraged to upgrade to the latest stable
version (0.4) once it's released in "about a week or two."
One thing I accidentally left out of the disclosure below:
* A permanent XSS vulnerability has been discovered in the "Page
Title" field of the "Create New Page" form, making it vulnerable to
permanent XSS viruses. Any script tags appended to the page title
will be executed on every page view and executed three times every
time the Content Manager is accessed in the admin section.
This presumably has been fixed for the new release per the author's
On Thu, 16 Apr 2009 02:13:23 -0700 Jeremi Gosney <epixoip at hush.com> wrote:
>Multiple Vulnerability Disclosure for razorCMS
>A recent security audit has uncovered multiple security
>vulnerabilities in the latest version (0.3RC2) and all previous
>versions of razorCMS CORE by Morgan Integrated Systems. From the
>vendor site: "razorCMS is an open source content management system
>written in PHP, using a flat file database structure instead of
>having a separate database. It has been released under the GNU
>General Public License." http://razorcms.co.uk,
>* The razorCMS install script sets mode 0644 on
>admin/core/admin_config.php, which contains the site owner's
>cleartext FTP credentials and a sha1sum hash of the site admin
>password. Any local user has access to these credentials, and the
>admin password can easily be cracked offline (rainbow tables,
>force, etc). The vendor is planning for the use of stronger file
>permissions, two-way encryption for FTP credentials, and stronger
>salted hashes for admin passwords in the next release (version
>* razorCMS requires a laundry list of files to be mode 0777 for
>installation, and promises to correct these permissions after
>installation. The razorCMS install script leaves the following
>directories in mode 0777 after installation: the razorCMS root
>directory, the datastore/ directory, and the admin/core/
>The issue with this should be readily apparent to you. The vendor
>is considering fixing the installer in the next release.
>* The razorCMS Security Manager is "used to ensure apache owned
>files have safe permissions set." In theory, if the Security
>Manager detects any insecure files, it will display a warning
>message and instructs the user to click a button to "secure" the
>site. By the same token, if all files are found to be secure, the
>Security Manager will display "All files are currently safe." The
>problem is the Security Manager doesn't actually *do* anything --
>it only checks the file permissions of a handful of files, and not
>even all of the Apache-owned files like it states. If a user were
>to recursively chmod the razorCMS installation to 0777 (which may
>be tempting for a novice user to do due to the large number of
>files the installer requires to be mode 0777) and then rely on the
>Security Manager to secure the site, nearly all files and
>directories would be left in mode 0777 and the Security Manager
>would report "All files are currently safe." The vendor does not
>feel that this tool is broken, just that the phrase "All files" is
>misleading and the wording should be changed. I have been
>unsuccessful in convincing the vendor that the Security Manager
>should *actually* secure the site, so don't expect this to be
>* Several cross-site scripting vulnerabilities have been
>discovered in the razorCMS admin section, and will be fixed for
>* razorCMS has the ability to save content as .php files
>(behaviour enabled by default, may be changed in the 'Settings'
>area to html). This allows arbitrary PHP code to be injected into
>any page, enabling the owner to run commands on the server with
>privileges of the web server. This may also be exploited remotely
>through a cross-site request forgery attack: for example, in an
>effort to steal user credentials, an authenticated admin may be
>tricked into submitting a malicious form that creates a page on
>their site containing something like <?php system("cat
>../../admin/core/admin_config.php"); ?>. The vendor has no plans to
>change this behaviour.
>04.06.2009 - Initial vendor notification.
>04.07.2009 - Vendor disputes vulnerabilities.
>04.07.2009 - Vulnerabilities explained.
>04.07.2009 - Vendor begins to implement certain fixes, refuses to
>04.07.2009 - Vulnerabilities explained again.
>04.07.2009 - Vendor continues to dispute some vulnerabilities.
>04.15.2009 - Vendor notified for last time.
>04.16.2009 - Public Disclosure.
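The quoted disclosure faults the Security Manager for checking only a handful of paths while reporting "All files are currently safe," and lists the post-install state it should have caught: the root, datastore/ and admin/core/ directories left at mode 0777, and admin_config.php holding credentials at mode 0644. The following is an added example, not razorCMS code and not its Security Manager: a recursive audit that walks every entry under the install root, reports world-writable paths and credential files readable by group or other, and a companion routine that applies conservative modes. The sample tree is constructed in a temporary directory; the only razorCMS path it assumes is admin/core/admin_config.php, as named in the advisory.

```python
"""Recursive permission audit for a web-application install tree (added example)."""
import os
import stat
import tempfile
from typing import List, Tuple

# Files holding credentials: must not be readable by group or other.
# Path taken from the advisory; extend for your own deployment.
SENSITIVE_FILES = {"admin/core/admin_config.php"}

Finding = Tuple[str, str, str]  # (relative path, octal mode, description)


def _check_entry(full: str, rel: str) -> List[Finding]:
    st = os.lstat(full)                  # lstat: never follow symlinks
    if stat.S_ISLNK(st.st_mode):
        return []
    mode = stat.S_IMODE(st.st_mode)
    out: List[Finding] = []
    if mode & stat.S_IWOTH:
        out.append((rel, oct(mode), "world-writable"))
    if rel in SENSITIVE_FILES and mode & (stat.S_IRGRP | stat.S_IROTH):
        out.append((rel, oct(mode), "credentials readable by group/other"))
    return out


def audit_permissions(root: str) -> List[Finding]:
    """Walk the whole tree (root included) and return every insecure entry."""
    findings = _check_entry(root, ".")
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            findings += _check_entry(full, os.path.relpath(full, root))
    return sorted(findings)


def secure_tree(root: str) -> None:
    """Apply 0755 to directories, 0644 to files, 0600 to credential files."""
    os.chmod(root, 0o755)
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            p = os.path.join(dirpath, d)
            if not os.path.islink(p):
                os.chmod(p, 0o755)
        for f in filenames:
            p = os.path.join(dirpath, f)
            if os.path.islink(p):
                continue
            rel = os.path.relpath(p, root)
            os.chmod(p, 0o600 if rel in SENSITIVE_FILES else 0o644)


def build_sample_tree() -> str:
    """Constructed tree reproducing the post-install state the advisory describes."""
    root = tempfile.mkdtemp(prefix="perm_audit_")
    os.makedirs(os.path.join(root, "admin", "core"))
    os.makedirs(os.path.join(root, "datastore"))
    cfg = os.path.join(root, "admin", "core", "admin_config.php")
    with open(cfg, "w") as fh:
        fh.write("<?php /* constructed placeholder, no real credentials */ ?>\n")
    index = os.path.join(root, "index.php")
    with open(index, "w") as fh:
        fh.write("<?php ?>\n")
    os.chmod(root, 0o777)                                  # root left 0777
    os.chmod(os.path.join(root, "datastore"), 0o777)       # datastore/ 0777
    os.chmod(os.path.join(root, "admin", "core"), 0o777)   # admin/core/ 0777
    os.chmod(os.path.join(root, "admin"), 0o755)
    os.chmod(cfg, 0o644)                                   # secrets world-readable
    os.chmod(index, 0o644)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, mode, why in audit_permissions(root):
        print(f"{mode} {rel}: {why}")
    secure_tree(root)
    print("after securing:", audit_permissions(root))
```

Run as a script it prints the four findings for the constructed tree, then an empty list once `secure_tree` has been applied; in a real deployment the web server user still needs write access to whatever the application legitimately writes, so the fixed modes above are a starting point rather than a universal answer.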
Full-Disclosure is hosted and sponsored by Secunia.